Commit 8461e9acfbf7783e69489a4bdd6a24532bd4e33a to puppet-keystone changed the way user roles are managed, by not creating automatically the _member_ role anymore, and removing option 'tenant' from the keystone_user provider.
To verify this bug is fixed run: packstack --allione Packstack should finish succesfully
# . keystonerc_admin # keystone role-list +----------------------------------+------------------+ | id | name | +----------------------------------+------------------+ | 9aeff25940b14f4e960b5a6da5d2092c | ResellerAdmin | | a02ecafd374948bf88b231c3687ce4a6 | SwiftOperator | | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | | 7f23b1fcc9684578a0c42c62847dc7b3 | admin | | 3a08d2ac185d4d96bc4e439a73485fab | heat_stack_owner | | 429ba44420c64df181d676ef3ca6899b | heat_stack_user | +----------------------------------+------------------+ From the 1st comment, _member_ should not be created. Does it mean that the fix failed?
Hi Amit, nope. Linked patch in gerrit was actually to create _member_ role, so the fix did the job. Ivan, as a follow-up I would also like to see to fix this via Puppet modules. I'm thinking if the role creation was not moved to other Puppet class. If not we should at least submit upstream bug. I see that as a regression TBH.
Verified for openstack-packstack-7.0.0-0.10.dev1684.g87ec498.el7ost (current puddle). The command below finished ok # packstack --allinone Checked if the _member_ role is present # source keystonerc_admin # openstack role list +----------------------------------+---------------+ | ID | Name | +----------------------------------+---------------+ | 37d659237e184b5aa7d08e255471ddf5 | SwiftOperator | | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | | e04ed2b1f5834f11b4d7387bdfffa96f | admin | | f13fc454d8ed4fa0862d2137caeec96d | ResellerAdmin | +----------------------------------+---------------+ Checked if the "project_id" property is no longer displayed for a user (meaning the correct configuration after the "tenant" field removal) # openstack user show admin +----------+----------------------------------+ | Field | Value | +----------+----------------------------------+ | email | root@localhost | | enabled | True | | id | 2a74833cb0e34106b55c10521cfb0482 | | name | admin | | username | admin | +----------+----------------------------------+
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0603.html